Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 7: Physical & Environmental Security
Copyright 2014 Pearson Education, Inc.
Objectives
Define the concept of physical security and how it relates to information security
Evaluate the security requirements of facilities, offices, and equipment
Understand the environmental risks posed to physical structures, areas within those structures, and equipment
Enumerate the vulnerabilities related to reusing and disposing of equipment
Recognize the risk posed by the loss or theft of mobile devices and media
Develop policies designed to ensure the physical environmental security of information, information systems, and information processing and storage facilities
Understanding the Secure Facility Layered Defense Model
If an intruder bypasses one layer of controls, the next layer should provide additional defense and detection capabilities
Both physical and psychological
The appearance of security is a deterrent
How to Secure the Site
All implemented controls to physically protect information are dictated first by a thorough analysis of the company’s risks and vulnerabilities, along with the value of the information that requires protection
From what are we protecting information assets?
Theft
Malicious destruction
Accidental damage
Damage that results from natural disasters
How to Secure the Site cont.
The design of a secure site starts with the location
Location-based threats
Political stability
Susceptibility to terrorism
Crime rate in the area
Roadways and flight paths
Utility stability
Vulnerability to natural disasters
Critical information processing facilities should be inconspicuous and unremarkable
How to Secure the Site cont.
The physical perimeter can be protected using:
Berms
Fences
Gates
Bollards
Man traps
Illuminated entrances, exits, pathways, and parking areas
Manned reception desk
Cameras, closed-circuit TV, alarms, motion sensors
Security guards
How Is Physical Access Controlled?
Physical entry controls:
Access control rules should be designed for:
Employees
Third-party contractors/partners/vendors
Visitors
Visitors should be required to wear identification that can be evaluated from a distance, such as a badge
Identification should start as soon as a person attempts to gain entry
How Is Physical Access Controlled? cont.
Physical entry controls:
Users should be authorized prior to gaining access to a protected area
Visitors should be identified, labeled, and authorized prior to gaining access to a protected area
An audit trail should be created
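The two slides above describe entry rules that differ by population (employees, contractors, visitors), visitor badging and pre-authorization, and an audit trail of every attempt. The following is an added example, not code from the slides or from the author, of a badge-reader decision routine that encodes those rules. Every badge ID, holder name, zone name and timestamp is constructed for the example; the escort rule for visitors is an assumption added to make the visitor case concrete.

```python
"""Added example (not from the slides or the author): a badge-reader access
decision that applies separate rules to employees, contractors and visitors,
requires visitors to be identified, badged and pre-authorized with an escort,
and writes every attempt, allowed or denied, to an audit trail.  All badge
IDs, names and zone names are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Badge:
    badge_id: str
    holder: str
    category: str                        # "employee", "contractor" or "visitor"
    zones: frozenset                     # zones this badge is pre-authorized for
    expires: Optional[datetime] = None   # contractors and visitors get an end date
    escort_required: bool = False        # visitors must be accompanied by an employee


@dataclass
class EntryControl:
    badges: dict                         # badge_id -> Badge (constructed registry)
    audit: list = field(default_factory=list)

    def request_entry(self, badge_id, zone, now, escort_badge_id=None):
        """Return True if the door opens; always append an audit record."""
        badge = self.badges.get(badge_id)
        allowed, reason = self._decide(badge, zone, now, escort_badge_id)
        self.audit.append({
            "time": now.isoformat(),
            "badge_id": badge_id,
            "holder": badge.holder if badge else None,
            "category": badge.category if badge else None,
            "zone": zone,
            "escort": escort_badge_id,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed

    def _decide(self, badge, zone, now, escort_badge_id):
        if badge is None:
            return False, "unknown badge"          # identification failed at the door
        if badge.expires is not None and now >= badge.expires:
            return False, "badge expired"
        if zone not in badge.zones:
            return False, "zone not authorized for this badge"
        if badge.escort_required:
            escort = self.badges.get(escort_badge_id)
            if escort is None or escort.category != "employee":
                return False, "visitor without an employee escort"
            if zone not in escort.zones:
                return False, "escort is not authorized for this zone"
        return True, "authorized"


def build_demo():
    """Constructed badge registry and clock for the example."""
    now = datetime(2014, 6, 2, 9, 0, tzinfo=timezone.utc)
    badges = {
        "E-100": Badge("E-100", "A. Employee", "employee",
                       frozenset({"lobby", "conference", "datacenter"})),
        "C-200": Badge("C-200", "B. Contractor", "contractor",
                       frozenset({"lobby", "loading_dock"}),
                       expires=datetime(2014, 12, 31, tzinfo=timezone.utc)),
        "V-300": Badge("V-300", "C. Visitor", "visitor",
                       frozenset({"lobby", "conference"}),
                       expires=datetime(2014, 6, 2, 17, 0, tzinfo=timezone.utc),
                       escort_required=True),
    }
    return EntryControl(badges), now


def run_demo():
    """Exercise each population once and return the decisions plus the audit trail."""
    ctl, now = build_demo()
    results = {
        "employee_datacenter": ctl.request_entry("E-100", "datacenter", now),
        "contractor_datacenter": ctl.request_entry("C-200", "datacenter", now),
        "visitor_alone": ctl.request_entry("V-300", "conference", now),
        "visitor_escorted": ctl.request_entry("V-300", "conference", now,
                                              escort_badge_id="E-100"),
        "unknown_badge": ctl.request_entry("X-999", "lobby", now),
    }
    return results, ctl.audit


if __name__ == "__main__":
    results, audit = run_demo()
    for rec in audit:
        print(("ALLOW " if rec["allowed"] else "DENY  ")
              + f'{rec["badge_id"]:6} {rec["zone"]:12} {rec["reason"]}')
```

The point a practitioner should take from this is that the denied attempts are as important to the audit trail as the allowed ones: an unknown badge at a datacenter door or a visitor badge presented without an escort is the event a reviewer wants to see, so the record is written before the decision is returned, not only on success.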
Securing Offices, Rooms, and Facilities
The outer physical perimeter is not the only focus of the physical security policy
Workspaces should be classified based on the level of protection required
Some internal rooms and offices must be protected differently
Parts of individual rooms may also require different levels of protection, such as cabinets and closets
Working in Secure Areas
Goal: Define behavioral and physical controls for the most sensitive workspaces within information processing facilities
Policy controls are in addition to – and not in place of – existing physical controls, unless they supersede them
Policy should include devices not allowed on premises, such as cameras, smartphones, tablets, and USB drives
Sensitive documents should be secured from viewing by unauthorized personnel while not in use
Copiers, scanners, and fax machines should be located in nonpublic areas and require use codes
Protecting Equipment
Both company- and employee-owned equipment should be protected
Hardware assets must be protected from:
Theft
Power spikes
Power loss
One way to reduce power consumption is to purchase Energy Star certified devices
Protecting Equipment cont.
Potential power problems include:
Brownout: Period of low voltage
Power surge: Increase in voltage
Blackout: Interruption or loss of power
Power equipment that can be used:
Uninterruptible Power Supply
Back-up power supplies
Power conditioners
Voltage regulators
Isolation transformers
Line filters
Surge protection equipment
How Dangerous Is Fire?
Three elements to fire protection
Fire prevention controls
Active
Passive
Fire detection
Fire containment and suppression
Involves responding to the fire
Specific to fire classification
Class A
Class B
Class C
Class D
What About Disposal?
Formatting a hard drive or deleting files does not mean that the data located on that drive cannot be retrieved
All computers that are discarded must be sanitized prior to being disposed of
Policy should be crafted to disallow access to information through improper disposal or reuse of equipment
Disk wiping
Degaussing
Destruction
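The slide's first point, that formatting or deleting does not remove the data, is easy to show with a toy disk. The following is an added example, not code from the slides or from the author: a bytearray stands in for the raw device and a small dictionary stands in for the file system's directory, which is the only thing that "delete" and "quick format" actually change. The disk geometry and the sample document are constructed for the example.

```python
"""Added example (not from the slides or the author): a toy disk showing why
"delete" and "quick format" leave data on the media and what a wipe changes.
A bytearray stands in for the raw device and a dict stands in for the file
system's directory (the metadata that delete and format alter).  The disk
geometry and the sample document are constructed for the example."""

SECTOR = 64
DISK_SECTORS = 32


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(SECTOR * DISK_SECTORS)   # the platter / flash contents
        self.directory = {}        # name -> (first_sector, length): the metadata
        self.next_free = 0

    def write_file(self, name, data):
        needed = -(-len(data) // SECTOR)              # ceiling division
        if self.next_free + needed > DISK_SECTORS:
            raise OSError("disk full")
        start = self.next_free * SECTOR
        self.raw[start:start + len(data)] = data
        self.directory[name] = (self.next_free, len(data))
        self.next_free += needed

    def read_file(self, name):
        first, length = self.directory[name]
        return bytes(self.raw[first * SECTOR:first * SECTOR + length])

    def delete_file(self, name):
        # Like unlink on most file systems: forget the entry, leave the sectors.
        del self.directory[name]

    def quick_format(self):
        # A quick format rebuilds the metadata structures only.
        self.directory.clear()
        self.next_free = 0

    def wipe(self):
        # Disk wiping: overwrite every sector with a known pattern, then the
        # disposal procedure verifies the overwrite (see verify_wiped).
        self.raw[:] = bytes(len(self.raw))
        self.quick_format()


def carve(disk, needle):
    """What a recovery tool does: scan the raw device for content, ignoring
    the file system's view of which sectors are 'in use'."""
    return disk.raw.find(needle) != -1


def verify_wiped(disk):
    """Post-wipe check a disposal record should include: every byte is the pattern."""
    return not any(disk.raw)


def run_demo():
    """Write, delete, format and wipe; report what a raw scan still finds."""
    disk = ToyDisk()
    marker = b"CONSTRUCTED-SAMPLE"
    disk.write_file("customers.txt",
                    marker + b" account list: acct-0001, acct-0002, acct-0003")
    if not disk.read_file("customers.txt").startswith(marker):
        raise RuntimeError("toy disk did not store the file")
    results = {}
    disk.delete_file("customers.txt")
    results["recoverable_after_delete"] = carve(disk, marker)
    disk.quick_format()
    results["recoverable_after_format"] = carve(disk, marker)
    disk.wipe()
    results["recoverable_after_wipe"] = carve(disk, marker)
    results["wipe_verified"] = verify_wiped(disk)
    return results


if __name__ == "__main__":
    for step, found in run_demo().items():
        print(f"{step:26} {found}")
```

Two caveats belong with this. The toy disk behaves like a magnetic drive, where an overwrite reaches the sectors it names; on a solid-state drive, wear levelling and spare areas mean an overwrite through the file system does not reliably reach every cell, which is why the slide lists degaussing and destruction alongside wiping, and why a disposal policy names the method per media type. And the verification step is part of the control: a wipe that is not verified and recorded cannot be shown to have happened.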
Summary
The physical perimeter of the company must be secured.
Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed.
Environmental threats such as power loss must be taken into account and the proper hardware must be deployed.
A clean screen and desk policy is important to protect the confidentiality of company-owned data.
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 6: Human Resources Security
Objectives
Define the relationship between information security and personnel practices
Recognize the stages of the employee lifecycle
Describe the purpose of confidentiality and acceptable use agreements
Understand appropriate security education, training, and awareness programs
Create personnel-related security policies and procedures
The Employee Lifecycle
Represents stages in the employee’s career
Lifecycle models can vary but most include the following stages
Recruitment
Onboarding
User provisioning
Orientation
Career development
Termination
What Does Recruitment Have to Do with Security?
Risks and rewards of posting online employment ads:
A company can reach a wider audience
A company can publish an ad that gives too much information:
About the network infrastructure, and therefore allow a hacker to footprint the internal network easily and stealthily
About the company itself, inviting social engineering attacks
Job Postings
Job descriptions are supposed to:
Convey the mission of the organization
Describe the position in general terms
Outline the responsibilities attached to said position
Outline the company’s commitment to security via the use of such terms as non-disclosure agreement
Job descriptions are NOT supposed to:
Include information about specific systems, software versions, security configurations, or access controls
It’s harder to hack a network if one doesn’t know what hardware and software are in use
If the above information is deemed necessary, two versions of the position can be created. The second, more detailed version should be posted internally and shared with candidates that have made the “first cut”
Candidate Application Data
Companies are responsible for protecting the data and privacy of the job seeker
Non-public personal information (NPPI) should not be collected if possible
The Interview
Job Interview:
The interviewer should be concerned about revealing too much about the company during the interview
Job candidates should never gain access to secured areas
A job interview is a perfect foot-printing opportunity for hackers and social engineers
Screening Prospective Employees
An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
Some higher-level positions may require even more in-depth checks
Many U.S. government jobs require prospective employees to have the requisite clearance level
Types of Background Checks
The company should have a basic background check level to which all employees are subjected
Information owners may require more in-depth checks for specific roles
Workers also have a right to privacy: Not all information is fair game to gather – only information relevant to the actual work they perform
Companies should seek consent from employees before launching a background check
Types of Background Checks cont.
Educational records fall under FERPA. Schools must first have written authorization before they can provide student-related information
Motor vehicle records fall under DPPA, which means that the DMV – or its employees – are not allowed to disclose information obtained by the department
The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act
Types of Background Checks cont.
Bankruptcies may not be used as the SOLE reason to not hire someone, according to Title 11 of the U.S. Bankruptcy Code
Criminal history: The use of this sort of information varies from state to state
Worker’s compensation records: In most states, these records are public records, but their use may not violate the Americans with Disabilities Act
What Happens in the Onboarding Phase?
The new hire is added to the organization’s payroll and benefit systems
New employees must provide
Proof of identity
Work authorization
Tax identification
Two forms that must be completed
Form I-9
Form W-4
What Is User Provisioning?
The process of:
Creating user accounts and group memberships
Providing company identification
Assigning access rights and permissions
Assigning access devices such as tokens and/or smartcards
The user should be provided with and acknowledge the terms and conditions of the Acceptable Use Agreement before being granted access
What Should an Employee Learn During Orientation?
His responsibilities
Information handling standards and privacy protocols
Ask questions
The Importance of Employee Agreements
Confidentiality or non-disclosure agreements
Agreement between employees and organization
Defines what information may not be disclosed by employees
Goal: To protect sensitive information
Especially important in these situations:
When an employee is terminated or leaves
When a third-party contractor is employed
The Importance of Employee Agreements cont.
Acceptable Use Agreement
A policy contract between the company and the information systems user
Components of an Acceptable Use Agreement
Introduction
Data classifications
Applicable policy statement
Handling standards
Contacts
Sanctions for violations
Acknowledgment
The Importance of Security Education and Training
Training employees
According to NIST: “Federal agencies […] cannot protect […] information […] without ensuring that all people involved […]:
Understand their role and responsibilities related to the organization’s mission
Understand the organization’s IT security policy, procedures and practices
Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible”
The Importance of Security Education and Training cont.
Hackers adapt: If it is easier to use social engineering – i.e., targeting users – rather than hack a network device, that is the road they will take
Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company
What Is the SETA Model?
What is SETA?
Security Education, Training and Awareness
Awareness is not training: It is focusing the attention of employees on security topics to change their behavior
Security awareness campaigns should be scheduled regularly
Security training “seeks to teach skills” (per NIST)
Security training should NOT be dispensed only to the technical staff but to all employees
Summary
A security policy that does not include personnel as a permanent threat to the data owned by the company is incomplete. Social engineering is more virulent than ever.
Failing to train users on security topics is a bad mistake and may result in a lack of compliance for some federal mandates.
All users should sign the Acceptable Use Agreement before receiving access to the company’s systems and equipment.